FUD—fear, uncertainty, and doubt—is usually met with relentless mockery in the cyber security world, since it’s sometimes used to try to frighten people into buying a product.
But nobody was mocking the FUD generated by a live simulation of a hack of an infusion pump that then delivered a massive overdose of medication to a “patient” who had been admitted to a hospital with the relatively common heart malfunction known as Afib.
The session was titled “Hacking Healthcare: Bits and Bytes Meet Flesh and Blood,” and it was meant to illustrate session leader Josh Corman’s main point—that “healthcare is in critical condition.”
Corman, CSO at PTC and a founder of I Am the Cavalry, said the overall reason for that is the ongoing reality that “our dependence on technology is moving much faster than our ability to secure it.”
Corman was joined by two physicians who are also hackers—Christian Dameff, an ER doctor, and Jeff Tully, a pediatrician and anesthesiologist.
The two of them, along with a couple of colleagues and a volunteer physician who had not been told about the scenario, then demonstrated, mostly on a mannequin, the emergency that could be created if an infusion pump was compromised. In this case, it was a massive overdose in minutes of a medication that was supposed to have been administered over a day or more.
Hacking of specific devices is not the only risk, of course. The infamous WannaCry ransomware attack a year ago affected at least 80 hospitals in the U.K., the United States, and beyond. In some cases, surgeries had to be canceled or postponed.
Corman pointed to a report in the New England Journal of Medicine that looked at delays in emergency care and mortality during major U.S. marathons—events that are planned well in advance and are therefore obviously not a surprise.
Even then, delays caused by street closures or other traffic can cause delays in emergency treatment. The obvious point is that a surprise cyber attack can put patients at much greater risk.
That and other events have brought much more awareness of cyber security risks to the healthcare industry, Corman said, noting that he had been a member of the Health Care Industry Cyber Security Task Force, which issued a Report on Improving Cybersecurity in the Health Care Industry in June 2017.
Indeed, just this week the FDA announced its Medical Device Safety Action Plan, which, among other things, seeks the authority to require medical device manufacturers to include updating and patching capabilities in their product designs. What a concept!
But Corman and the physicians said the “last mile” in addressing vulnerabilities in healthcare is in the clinical environment, where doctors want to treat their patients and don’t want to have to worry about trusting their equipment.
They agreed that this is the way things ought to be—that “connected technology has to be trustworthy”—but it is not the reality today.
Corman noted the benefits of government regulations like HIPAA, which have been relatively effective in protecting patient privacy. But he also noted that privacy isn’t worth much if the lifesaving treatment you need is disabled by a hack or ransomware that shuts down a hospital’s operation.
“I love my privacy,” he said, “but I would like to be alive to enjoy it.”
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.